Community Member

Need rules to forward HTTPS traffic based on source IP

I have a Cisco ASA 5505, and I'm trying to forward HTTPS traffic to one internal server if it comes from either of two external networks (i.e. X.Y.0.0/16 and C.0.0.0/8), and to a different server if it comes from anywhere else.

Can anyone provide me with the Policy Static PAT (?) or whatever commands to accomplish this?  Thanks!

2 REPLIES
Cisco Employee

Re: Need rules to forward HTTPS traffic based on source IP

CSCso79009 ENH: Policy static nat should check inbound source IP address w/ACL
This defect is not resolved yet.

It may not work for you if configured. This is how you would configure it though.

static (inside,outside) tcp 1.1.1.1 443 access-list from-server-A

access-list from-server-A permit tcp host 10.10.1.1 eq 443 host A.A.A.A

The above line will make the firewall receive all 443 traffic destined to 1.1.1.1 from the internet address A.A.A.A to the server on the inside 10.10.1.1

static (inside,outside) tcp 2.2.2.2 443 access-list from-all-other-ips

access-list from-all-other-ips permit tcp host 10.10.2.2 eq 443 any

The above lines will make the firewall receive all 443 traffic destined to 2.2.2.2 from all other internet addresses to the server on the inside 10.10.2.2

Unfortunately due to the defect this may not work.

-KS
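The reply's policy static PAT approach written out for the asker's case of two trusted source networks plus a catch-all, as an added example that is not from the original post. The server, mapped and source addresses are constructed placeholders (the asker's X.Y.0.0/16 and C.0.0.0/8 are stood in by 198.51.0.0/16 and 100.0.0.0/8), and the inbound interface ACL is assumed for a pre-8.3 ASA, where interface ACLs match the mapped (outside) addresses.

```cisco
! Policy static PAT: HTTPS from the two trusted external networks -> inside server A
! (source networks are placeholders for the asker's X.Y.0.0/16 and C.0.0.0/8)
access-list from-trusted-nets extended permit tcp host 10.10.1.1 eq 443 198.51.0.0 255.255.0.0
access-list from-trusted-nets extended permit tcp host 10.10.1.1 eq 443 100.0.0.0 255.0.0.0
static (inside,outside) tcp 1.1.1.1 443 access-list from-trusted-nets

! Policy static PAT: HTTPS from anywhere else -> inside server B
access-list from-all-other-ips extended permit tcp host 10.10.2.2 eq 443 any
static (inside,outside) tcp 2.2.2.2 443 access-list from-all-other-ips

! Inbound interface ACL (assumed): pre-8.3 ACLs reference the mapped outside addresses,
! so only the trusted networks reach 1.1.1.1:443 and everyone may reach 2.2.2.2:443
access-list outside_in extended permit tcp 198.51.0.0 255.255.0.0 host 1.1.1.1 eq 443
access-list outside_in extended permit tcp 100.0.0.0 255.0.0.0 host 1.1.1.1 eq 443
access-list outside_in extended permit tcp any host 2.2.2.2 eq 443
access-group outside_in in interface outside
```

The interface ACL is what actually restricts which sources reach each mapped address; the defect the reply cites (CSCso79009) applies to the policy statics in the same way.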

Hall of Fame Super Blue

Re: Need rules to forward HTTPS traffic based on source IP

mattkl3com wrote:

I have a Cisco ASA 5505, and I'm trying to forward HTTPS traffic to one internal server if it comes from either of two external networks (i.e. X.Y.0.0/16 and C.0.0.0/8), and to a different server if it comes from anywhere else.

Can anyone provide me with the Policy Static PAT (?) or whatever commands to accomplish this?  Thanks!

Matt

You can't do this on an ASA. What you need is PBR (Policy Based Routing) which is the ability to forward traffic based on something other than just the destination IP address, in your case the source IP.

But the ASA does not support PBR, although, believe me, a lot of people wish it did. For PBR you need a router.

Jon
